
In EmpowerID, a Business Role is a user-defined hierarchical container for grouping EmpowerID Person objects that can be used to delegate access to resources based on a particular job function; in its simplest form, an EmpowerID Location is a container for holding resources. The combination of Business Roles and Locations allows for efficient and flexible management of access to resources: the two objects combine to determine a collection of people based on their job function and location within an organization, allowing for polyarchical RBAC resource assignments. This polyarchical RBAC resource assignment approach is implemented in EmpowerID through tree interfaces (with inheritance) that allow for the intersection of Business Roles with Locations and support the following:

  1. Static assignments of people: Individuals can be directly assigned to a Business Role and Location combination based on their job function and location. This grants them access to the resources associated with the Business Role and Location.

  2. RBAC mapping: Existing physical directory locations and roles can be mapped to logical EmpowerID Locations to simplify resource management and hide the complexity of back-end directory structures from business users. This allows resources in physical directory containers to "belong" to the corresponding EmpowerID Location, granting users access to resources when assigned to a Business Role and Location.

  3. SetGroup mapping: SetGroups containing collections of EmpowerID Person objects can be mapped to Business Roles and Locations, enabling people in the SetGroup to receive Access Level assignments associated with the Business Role and Location.

Locations

To assign resources to users, those resources must be located somewhere. In EmpowerID, the "somewhere" is an object known as the "EmpowerID Location." An EmpowerID Location is a container used to group resources for scoping access to those resources. This occurs through the use of two types of Location trees: the "External Locations" tree and the "EmpowerID Locations" tree. The External Locations tree represents the location of resources in the actual resource systems to which EmpowerID is connected. EmpowerID maintains a dynamic link with these resource system locations, reflecting any change in the structure of an external location in this tree. The EmpowerID Locations tree is a user-defined logical representation of an enterprise's organizational and geographical structure that can be mapped to actual resource locations in the External Locations tree.

When EmpowerID connects to a resource system, it copies the structure of that resource system into the External Locations tree, maintaining a dynamic link through it to the actual locations of the resources in the resource system. Once the External Locations tree is populated, you can create EmpowerID Locations, map them to the External Locations and then use those EmpowerID Locations for assigning the resources in your resource systems to the users in your organization.

  • Direct Static Assignment – Resources can be manually assigned to one or more EmpowerID Locations.

  • Implicit Assignment – Resources automatically belong to their resource system and their actual "location" in that system. For example, Active Directory objects belong to their OUs, and SharePoint objects belong to their site in the site tree.

  • RBAC Mapping – EmpowerID "logical" Locations can be created that map to one or more "physical" resource system locations. Once a mapping occurs, resources will automatically belong to any EmpowerID Location mapped to the actual resource system location of those resources.

  • Relative Location Assignment – Resources automatically belong to "relative" assignments that can be used with relative Access Levels.

Locations in EmpowerID include the following:

Logical Locations

Logical locations in EmpowerID represent an enterprise’s organizational and geographical structure in a way that mirrors its operational model. Logical locations are optional, user-defined tools that can be used to create intuitive, business-friendly nodes on a hierarchical locations tree that offers delegated users the ability to interact more easily with system resources. These logical locations map to the physical locations of your resource systems and always reflect the resources inclusive to that location. When mapping occurs, all the resources or objects located in the directory are assigned to their corresponding logical location and can be used when delegating user rights. If a resource is removed from the external location, it is removed from the corresponding logical location; if a resource is added to the external location, it is added to the corresponding logical location.

External Locations

These are the locations of your resources in your resource systems.

All IT Systems

The All IT Systems location is a default EmpowerID location beneath which reside the locations for all the IT systems that EmpowerID protects, including the EmpowerID system itself. Within this location, EmpowerID creates and dynamically maintains the locations that represent the various resource systems, such as Active Directory, Microsoft Exchange, and Microsoft SharePoint, to which EmpowerID connects and which it manages via the inventory process. Resources inventoried from a managed resource system automatically exist in their corresponding EmpowerID location, and that EmpowerID location updates if the resource's location changes in the external system. Because these locations map to actual resources, their internal structure should not be reorganized or modified.

These locations differ from standard EmpowerID locations in a few key ways:

  • Due to the dynamic nature of these locations, the All IT Systems locations are hidden from the role and location selectors that are used to assign Business Roles and locations to Person objects and are not intended to be used for those purposes. An exception to this is when it is desirable to use the actual structure of the Active Directory as a business location rather than recreating it in a logical representation. In this case, it is necessary to map your directory.

  • These locations are maintained automatically via inventory. They move when moved in the external system and are deleted when deleted in the external system.

  • These locations are not mapped to external locations with the RBAC Mapper as they automatically map one-to-one to an actual external location.

  • Resources are not assigned to these locations as the resources belonging to these locations reflect what exists in the external location.

Resource Systems Locations

This helps in organizing users based on specific attributes and granting them access accordingly.

By leveraging Business Roles and Locations, EmpowerID allows organizations to easily manage access to resources based on an individual's job function and location within the organization, enhancing security and streamlining resource management.

Tip

EmpowerID provides several ways by which resources can belong to a location:

  • If a resource has been manually assigned to a location, then it belongs to that location.

  • Locations are resources that belong to themselves as a location.

  • Person objects belong to the location of the person's primary Business Role and Location. If a person is assigned a secondary Business Role and Location, the Person object does not belong to the secondary location. Person objects also belong to any locations to which the person is assigned manually as a resource or through a SetGroup.

  • If the resource has a path (currently user accounts, computers, Exchange mailboxes), the resource belongs to any locations mapped to an external location whose path matches the ParentPath field of the resource. When this is the case, the external location is actually the parent OU of the object in the external directory.

  • If the resource is an account and a person owns it (joined), the user account belongs to the person's primary Business Role and location.

  • If the resource is an Exchange Mailbox, and its account is assigned to a person, it belongs to the person's primary Business Role and location.

  • Special "Resource System Match" locations that represent an Account Store or Resource System to which the resources belong: These are designated as locations of ResourceSystemType = 12, and the ResourceSystem of the resource is the same as that set for the MatchingResourceSystemID of that location.

  • A resource belongs to any parent location of any location to which it has been assigned using the above criteria. The only exception to this rule is the location root node, Anywhere. Resources do not belong to this node unless they are direct children of that location or the resource has been explicitly assigned there.
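As an added illustration (not EmpowerID's own code), the following Python models the membership rules in the Tip above together with the four assignment types listed under Locations: manual assignment, RBAC mapping via a mapped external path, "Resource System Match" locations, the primary Business Role and Location of a joined person, and parent inheritance that stops short of the Anywhere root. Every location name, resource id, system id and OU path here is constructed for the example.

```python
# Added example (not EmpowerID code): a small model of the resource-to-location
# membership rules listed in the Tip. All names, ids and paths are constructed.
from dataclasses import dataclass, field
from typing import Optional, Set

ROOT = "Anywhere"  # root node: reached only by explicit assignment, never inherited

@dataclass
class Location:
    parent: Optional[str]
    external_paths: Set[str] = field(default_factory=set)  # RBAC Mapper targets
    matching_system_id: Optional[int] = None  # "Resource System Match" (type 12)
    manual: Set[str] = field(default_factory=set)  # direct static assignments

@dataclass
class Resource:
    id: str
    kind: str  # "person", "account", "mailbox", "location", "printer", ...
    system_id: int
    parent_path: Optional[str] = None  # ParentPath (accounts, computers, mailboxes)
    person_id: Optional[str] = None  # joined/owning person; a person names itself

def direct_locations(res, tree, primary):
    # Locations the resource belongs to before any parent inheritance.
    found = {res.id} if res.kind == "location" else set()  # locations own themselves
    for name, loc in tree.items():
        if res.id in loc.manual or res.parent_path in loc.external_paths:
            found.add(name)  # manual assignment, or mapped external location == parent OU
        if loc.matching_system_id == res.system_id:
            found.add(name)  # resource system match
    if res.kind in ("person", "account", "mailbox") and res.person_id in primary:
        found.add(primary[res.person_id])  # primary Business Role and Location
    return found

def effective_locations(res, tree, primary):
    # Add every ancestor of each direct location, stopping short of Anywhere.
    found = set(direct_locations(res, tree, primary))
    for name in list(found):
        parent = tree[name].parent
        while parent not in (None, ROOT):
            found.add(parent)
            parent = tree[parent].parent
    return found

TREE = {  # constructed tree: Anywhere -> Contoso -> {Sales, Engineering}; AD Match
    ROOT: Location(parent=None),
    "Contoso": Location(parent=ROOT),
    "Sales": Location(parent="Contoso", external_paths={"OU=Sales,DC=corp,DC=example"}),
    "Engineering": Location(parent="Contoso", manual={"printer-42"}),
    "AD Match": Location(parent=ROOT, matching_system_id=7),
}
PRIMARY = {"alice": "Engineering"}  # person id -> Location of primary Business Role
ALICE_ACCT = Resource("alice-acct", "account", 7, "OU=Sales,DC=corp,DC=example", "alice")
PRINTER = Resource("printer-42", "printer", 0)
```

Running `effective_locations(ALICE_ACCT, TREE, PRIMARY)` shows the account picking up Sales (parent OU mapping), AD Match (resource system), Engineering (joined person's primary location) and their parent Contoso, but never Anywhere.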
